Cisco Email Security Appliance C650 User Guide
Cisco AsyncOS 8.5.5 for Email Security User Guide
Chapter 29 Policy, Virus, and Outbreak Quarantines
Working with Messages in Policy, Virus, or Outbreak Quarantines
About Rescanning of Quarantined Messages
When a message is released from all queues in which it has been quarantined, the following rescanning
occurs, depending on the features enabled for the appliance and for the mail policy that originally
quarantined the message:
• Messages released from Policy and Virus quarantines are rescanned by the anti-virus engine.
• Messages released from the Outbreak quarantine are rescanned by the anti-spam and anti-virus
engines. (For information about rescanning of messages while in the Outbreak quarantine, see
• Messages with attachments are rescanned by the file reputation service upon release from Policy,
Virus, and Outbreak quarantines.
Upon rescanning, if the verdict produced matches the verdict produced the previous time the message
was processed, the message is not re-quarantined. Conversely, if the verdict is different, the message
could be sent to another quarantine.
The rationale is to prevent messages from looping back to the quarantine indefinitely. For example,
suppose a message is encrypted and therefore sent to the Virus quarantine. If an administrator releases
the message, the anti-virus engine will still not be able to decrypt it; however, the message should not
be re-quarantined or a loop will be created and the message will never be released from the quarantine.
Since the two verdicts are the same, the system bypasses the Virus quarantine the second time.
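The release-time decision described above can be modeled as follows. This is an added example, not code from Cisco or from AsyncOS: the engine names, verdict strings, message layout, and the rule that only a changed, non-clean verdict leads to another quarantine are assumptions made for illustration.

```python
# Simplified model of the release-time rescan; engine names, verdict strings
# and the message layout are illustrative assumptions, not AsyncOS internals.
ENABLED = {"anti-spam", "anti-virus", "file-reputation"}


def engines_for_release(origins, has_attachments, enabled=ENABLED):
    """Engines that rescan a message once it has left every quarantine."""
    engines = set()
    if origins & {"Policy", "Virus"}:
        engines.add("anti-virus")
    if "Outbreak" in origins:
        engines |= {"anti-spam", "anti-virus"}
    if has_attachments:
        engines.add("file-reputation")
    return engines & set(enabled)  # only features that are switched on


def release(message, scan, enabled=ENABLED):
    """Return ("deliver", {}) or ("requarantine", {engine: new_verdict}).

    A verdict equal to the one recorded before is ignored, which is what
    stops an encrypted message from looping back into the Virus quarantine.
    Treating any changed, non-"clean" verdict as a reason to quarantine
    again is an assumption of this model.
    """
    changed = {}
    for engine in sorted(engines_for_release(
            message["origins"], message["has_attachments"], enabled)):
        verdict = scan(engine, message)
        if verdict != message["previous"].get(engine) and verdict != "clean":
            changed[engine] = verdict
    return ("requarantine", changed) if changed else ("deliver", {})


# Constructed sample messages and a stub scanner standing in for the engines.
encrypted = {"origins": {"Virus"}, "has_attachments": False,
             "previous": {"anti-virus": "encrypted"},
             "now": {"anti-virus": "encrypted"}}
outbreak = {"origins": {"Outbreak"}, "has_attachments": True,
            "previous": {"anti-spam": "clean", "anti-virus": "clean"},
            "now": {"anti-spam": "clean", "anti-virus": "viral",
                    "file-reputation": "clean"}}


def stub_scan(engine, message):
    return message["now"][engine]


if __name__ == "__main__":
    print(release(encrypted, stub_scan))
    print(release(outbreak, stub_scan))
```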
The Outbreak Quarantine
The Outbreak quarantine is present when a valid Outbreak Filters feature license key has been entered.
The Outbreak Filters feature sends messages to the Outbreak quarantine, depending on the threshold set.
For more information, see
The Outbreak quarantine functions just like other quarantines—you can search for messages, release or
delete messages, and so on.
The Outbreak quarantine has some additional features not available in other quarantines: the Manage by
Rule Summary link, the Send to Cisco feature when viewing message details, and the option to sort
messages in search results by the Scheduled Exit time.
If the license for the Outbreak Filters feature expires, you will be unable to add more messages to the
Outbreak quarantine. Once the messages currently in the quarantine have expired and the Outbreak
quarantine becomes empty, it is no longer shown in the Quarantines listing in the GUI.
Rescanning Messages in an Outbreak Quarantine
Messages placed in the Outbreak quarantine are automatically released if newly published rules deem
the quarantined message no longer a threat.
If anti-spam and anti-virus are enabled on the appliance, the scanning engines scan every message
released from the Outbreak quarantine based on the mail flow policy that applies to the message.
Manage by Rule Summary Link
Click the Manage by Rule Summary link next to the Outbreak quarantine in the quarantine listing to view
the Manage by Rule Summary page. You can perform message actions (Release, Delete, Delay Exit) on
all of the messages in the quarantine based on which outbreak rule caused the message to be quarantined.